Revision [3785]
Last edited on 2010-08-06 19:22:19 by KenFong
Additions:
===Generate shadow password with openssl===
openssl passwd -1 my-very-secret-password
Revision [3520]
Edited on 2009-09-21 23:50:10 by WikiAdmin
Additions:
~ [[FreeRadius Radius]]
Revision [2356]
Edited on 2009-07-03 08:32:19 by WikiAdmin
Additions:
obscure use_authtok try_first_pass sha512
Deletions:
Revision [2355]
Edited on 2009-07-03 08:21:13 by WikiAdmin
Additions:
Enforce password complexity on Ubuntu Linux. Install the cracklib module: **aptitude install libpam-cracklib**
Deletions:
Revision [2354]
Edited on 2009-07-03 08:19:31 by WikiAdmin
Additions:
===PAM ubuntu libpam_cracklib.so===
Enforce password complexity on Ubuntu Linux.
%%(text;/etc/pam.d/common-password)
# minlen: minimum password length. 7 is generally good
# dcredit: -1 means at least 1 digit
# ocredit: -1 means at least 1 non-alphanumeric character
password requisite pam_cracklib.so \
retry=3 minlen=7 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so \
obscure use_authtok try_first_pass sha512
%%
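As an added example (not part of the wiki page), a Python model of how pam_cracklib turns the settings above into a pass/fail decision; it assumes ucredit and lcredit stay at the module default of 1 and models only the credit arithmetic, not cracklib's dictionary check:

```python
# Model of pam_cracklib's length/credit arithmetic for the common-password
# settings above: minlen=7 dcredit=-1 ocredit=-1, with ucredit and lcredit
# left at the module default of 1. Added example, not from the wiki page;
# only the credit test is modelled, not cracklib's dictionary check.

def classify(password):
    """Count characters per class the way pam_cracklib does."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts

def cracklib_credit_check(password, minlen=7, dcredit=-1, ucredit=1,
                          lcredit=1, ocredit=-1):
    """Return (ok, reason) following pam_cracklib's rules:
    a negative credit -N means 'at least N characters of that class';
    a positive credit N means each such character lowers the length the
    password must reach, at most N times.  What is left of minlen is
    then compared with the real length."""
    counts = classify(password)
    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}
    required = minlen
    for cls, credit in credits.items():
        have = counts[cls]
        if credit < 0:
            if have < -credit:
                return False, f"needs at least {-credit} {cls} character(s)"
        else:
            required -= min(have, credit)
    if len(password) < required:
        return False, f"too short: {len(password)} < {required} after credits"
    return True, "ok"

if __name__ == "__main__":
    # "abcdefg" passes with the module defaults but fails with dcredit=-1,
    # which is exactly the difference the settings above are meant to make.
    for pw in ("Passw0rd", "abcdefg", "correct-horse1", "a1!"):
        print(f"{pw!r}: {cracklib_credit_check(pw)}")
    print(cracklib_credit_check("abcdefg", dcredit=1, ocredit=1))
```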
Revision [1524]
Edited on 2008-03-23 03:25:44 by WikiAdmin
Additions:
**Sub-topics**
Revision [1523]
Edited on 2008-03-23 03:25:30 by WikiAdmin
Additions:
~ [[SecurityNIS NIS]]
Revision [1522]
Edited on 2008-03-20 03:08:38 by WikiAdmin
Additions:
Read:
Freeradius http://wiki.freeradius.org/HOWTO
Revision [957]
Edited on 2007-09-11 21:15:30 by WikiAdmin
Additions:
===Linux password generator===
apg -M sNCL -x8 -m8 -a0
Revision [622]
Edited on 2007-06-05 07:58:12 by WikiAdmin
Additions:
==Simple password generator== {{Randompw}}
Deletions:
Revision [621]
Edited on 2007-06-05 07:56:28 by WikiAdmin
Additions:
Simple password generator: {{Randompw}}
Deletions:
Revision [620]
Edited on 2007-06-05 07:55:35 by WikiAdmin
Additions:
Simple password generator: {{"randompw"}}
Revision [593]
Edited on 2007-05-25 11:43:38 by WikiAdmin
Additions:
Lines 2, 4, 5 and 6 indicate that authentication has to satisfy the rules defined in /etc/pam.d/system-auth. Looking at that file, one finds that PAM will try to authenticate the user against the shadow password file, check /etc/limits, limit the password retry count, etc. Failure to satisfy the rules results in the execution of pam_deny.so (deny the login request) and/or pam_warn.so (log the attempt to syslog).
Deletions:
Revision [592]
Edited on 2007-05-25 11:41:14 by WikiAdmin
Additions:
Lines 2, 4, 5 and 6 indicate that authentication has to satisfy the rules defined in /etc/pam.d/system-auth. Looking at that file, one finds that PAM will try to authenticate the user against the shadow password file, check /etc/limits, limit the password retry count, etc.
Deletions:
Revision [591]
Edited on 2007-05-25 11:37:09 by WikiAdmin
Additions:
=== PAM ===
PAM (Pluggable Authentication Modules) provides authentication services. Here is the /etc/pam.d/login PAM file:
%%
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
%%
Now let's try to understand it line by line.
Line 1: Check that the login comes from a secure terminal (pam_securetty)
Line 2: Defer to the settings in system-auth (pam_stack)
Line 3: Check whether the account's shell is set to nologin (pam_nologin)
Line 4: Defer to the settings in system-auth
Line 5: Defer to the settings in system-auth
Line 6: Defer to the settings in system-auth
Line 7: Whether to grant additional rights to the user (pam_console)
Lines 2, 4, 5 and 6 indicate that authentication has to satisfy the rules defined in /etc/pam.d/system-auth
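To see what the control flags in that file actually do, here is an added Python model of the stack walk (example code, not from the wiki or from Linux-PAM); the modules are not run, their pass/fail results are supplied by hand, and the securetty module is spelled pam_securetty.so as the real module is named:

```python
# Model of how PAM walks one per-type stack such as the auth and session
# lines of /etc/pam.d/login above. Added example, not from the wiki; module
# results come from a dict so each control flag's effect can be seen alone.

LOGIN_AUTH = [
    ("required", "pam_securetty.so"),
    ("required", "pam_stack.so service=system-auth"),
    ("required", "pam_nologin.so"),
]
LOGIN_SESSION = [
    ("required", "pam_stack.so service=system-auth"),
    ("optional", "pam_console.so"),
]

def run_stack(stack, results):
    """Return (verdict, modules_executed) for one stack.
    required  : a failure is remembered but the walk continues, so the
                user still sees every later prompt and nothing leaks
                about which check failed.
    requisite : a failure ends the walk at once.
    sufficient: a success ends the walk with success unless a required
                module already failed; a failure is ignored.
    optional  : its result only counts when it is the sole module.
    Modules missing from `results` are assumed to succeed."""
    failed = False
    executed = []
    for control, module in stack:
        ok = results.get(module, True)
        executed.append(module)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return "failure", executed
        elif control == "sufficient":
            if ok and not failed:
                return "success", executed
        elif control == "optional":
            if len(stack) == 1 and not ok:
                failed = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return ("failure" if failed else "success"), executed

if __name__ == "__main__":
    # Constructed case: root on a tty not listed in /etc/securetty still
    # reaches pam_stack (a password prompt) before the login is refused.
    print(run_stack(LOGIN_AUTH, {"pam_securetty.so": False}))
    print(run_stack(LOGIN_SESSION, {"pam_console.so": False}))
```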
Revision [539]
Edited on 2007-05-15 06:17:40 by WikiAdmin
Deletions:
Download sshdfilter from its [http://www.csc.liv.ac.uk/~greg/sshdfilter web site]
<< Version 1.5.3 is even easier: just download the source file, run the install script, and create the SSHD iptables chain. Restart syslog and start the sshdfilter service. The log is in /var/log/secure <<
Extract the package and copy its rc file to /etc
%%
cp etc/sshdfilterrc /etc/sshdfilterrc
%%
Edit the rc file /etc/sshdfilterrc; the default setting blocks attackers for 3 days
Copy sshdfilter.YOUR_PLATFORM to /usr/sbin (rhFC30 works on RHEL4)
Edit the sshd init script (back it up first, of course). On RHEL4, look in the start() section and replace the initlog line like this:
%%
# initlog -c "$SSHD $OPTIONS" && success || failure
initlog -c /usr/sbin/sshdfilter && success || failure
%%
Add necessary iptables entries
%%
iptables -N SSHD
iptables -I INPUT 1 -p tcp --dport 22 -j SSHD
# You'd probably want to allow ssh access from a certain server no matter what
iptables -I INPUT 1 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
%%
Finally, restart sshd. To check the installation, look at /var/log/messages, /var/log/secure, and the iptables counters. My iptables after running sshdfilter for 1 day:
%%
# iptables
Chain SSHD (1 references)
pkts bytes target prot opt in out source destination
18 1396 DROP tcp -- * * 61.133.95.228 0.0.0.0/0 tcp dpt:22
22 1732 DROP tcp -- * * 222.255.236.12 0.0.0.0/0 tcp dpt:22
22 1732 DROP tcp -- * * 85.25.20.222 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- * * 60.250.231.36 0.0.0.0/0 tcp dpt:22
# secure log
sshdfilt[9575]: Cancelled instant block of 165.98.233.4
sshdfilt[9575]: Cancelled instant block of 210.6.69.117
sshdfilt[9575]: Cancelled instant block of 64.150.163.110
sshdfilt[9575]: Cancelled guesswork based block of 218.98.194.140
sshdfilt[9575]: Illegal user name, instant block of 218.1.65.233
sshdfilt[9575]: No ssh id string from client, instant block of 67.82.36.169
sshdfilt[9575]: Illegal user name, instant block of 205.237.97.173
sshdfilt[9575]: Cancelled instant block of 219.239.98.111
sshdfilt[9575]: Cancelled instant block of 218.91.236.93
%%
==protect sshd with iptables==
Got this from Google [[http://www.gagme.com/greg/linux/protect-ssh.php Link]]. Never tried it myself.
%%
iptables -A INPUT -m recent --update --seconds 40 --hitcount 5 --name SSH --rsource -j DROP
iptables -A INPUT -m recent --set --name SSH --rsource -p tcp --dport 22 -j ACCEPT
%%
If the rules see 5 attempts to connect to SSH from a given IP address within 40 seconds, further connections to SSH from that address are dropped. If the attempts continue, the counter is reset, thus prolonging the black hole for that IP address.
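An added Python simulation of the two rules above (not from the wiki or the linked page), run over a constructed packet trace; it assumes the list name SSH and xt_recent's default of 20 remembered stamps per address, and shows both the self-prolonging block and its lapse after 40 s of silence:

```python
from collections import defaultdict, deque
# Added example (not from the wiki or gagme.com): a model of the two
# xt_recent rules above, run over a constructed packet trace.
SECONDS, HITCOUNT = 40, 5   # values from the quoted rules
LIST_TOT = 20               # stamps xt_recent keeps per address by default

class RecentList:
    """Minimal model of one xt_recent list ('--name SSH --rsource')."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):          # --set: list the source with a stamp
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if the source has >= N
        stamps in the last S seconds; a match records a fresh stamp too,
        which is what keeps a source that keeps trying blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def ssh_chain(recent, src, now, proto="tcp", dport=22):
    """Walk one packet through the two rules in order; return the verdict."""
    # Rule 1 as quoted has no -p/--dport: over the threshold, ALL traffic
    # from that source is dropped, not only port 22.
    if recent.update(src, now, SECONDS, HITCOUNT):
        return "DROP"
    # Rule 2 records and accepts TCP/22 only; other traffic falls through.
    if proto == "tcp" and dport == 22:
        recent.set(src, now)
        return "ACCEPT"
    return "CONTINUE"

def run_trace(packets):
    """packets: (time_in_seconds, source) pairs in order; returns verdicts."""
    recent = RecentList()
    return [ssh_chain(recent, src, t) for t, src in packets]

# Constructed trace: 10.0.0.5 connects every 2 s, keeps trying every 5 s,
# goes quiet for 45 s and returns; 192.0.2.9 connects once in between.
TRACE = ([(t, "10.0.0.5") for t in range(0, 12, 2)]
         + [(t, "10.0.0.5") for t in range(15, 55, 5)]
         + [(51, "192.0.2.9"), (95, "10.0.0.5")])

if __name__ == "__main__":
    for (t, src), verdict in zip(TRACE, run_trace(TRACE)):
        print(f"t={t:3d}s {src:10s} {verdict}")
```

The sixth connection inside the window is the first one dropped, every attempt after it refreshes the block, and the address is let in again once no attempt has been seen for more than 40 seconds.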
=== Protecting ssh with sshguard===
[[http://sourceforge.net/projects/sshguard/ sshguard]] works very similarly to sshdfilter. Just **tail -n0 -F /var/log/secure | sshguard**, and it will do the work for you. Sadly, it works on selected systems only, just like sshdfilter. Maybe different systems produce different error formats? Anyway, that's a shame. I like the tools.
Revision [538]
Edited on 2007-05-15 04:04:26 by WikiAdmin
Additions:
[[http://sourceforge.net/projects/sshguard/ sshguard]] works very similarly to sshdfilter. Just **tail -n0 -F /var/log/secure | sshguard**, and it will do the work for you. Sadly, it works on selected systems only, just like sshdfilter. Maybe different systems produce different error formats? Anyway, that's a shame. I like the tools.
Deletions:
Revision [537]
Edited on 2007-05-15 04:03:23 by WikiAdmin
Additions:
=== Protecting ssh with sshguard===
[[http://sourceforge.net/projects/sshguard/ sshguard]] works very similarly to sshdfilter. Just tail your auth log to sshguard, and it will do the work for you. Sadly, it works on selected systems only, just like sshdfilter. Maybe different systems produce different error formats? Anyway, that's a shame. I like the tools.
Revision [384]
Edited on 2007-04-26 01:23:19 by WikiAdmin
Additions:
iptables -A INPUT -m recent --set --name SSH --rsource -p tcp --dport 22 -j ACCEPT